The fix used to correct CVE-2006-2940 introduced code that could lead to the use of uninitialized memory. Such use is likely to cause the application using the openssl library to crash, and has the potential to allow an attacker to cause the execution of arbitrary code.

For the stable distribution (sarge) these problems have been fixed in version 0.9.7e-3sarge4.

For the unstable and testing distributions (sid and etch, respectively), these problems will be fixed in version 0.9.7k-3 of the openssl097 compatibility libraries, and version 0.9.8c-3 of the openssl package.

We recommend that you upgrade your openssl package. Note that services linking against the openssl shared libraries will need to be restarted. Common examples of such services include most Mail Transport Agents, SSH servers, and web servers.

Upgrade Instructions
--------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:
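The advisory notes that services linking against the openssl shared libraries must be restarted after the upgrade, but does not say how to find them. The following POSIX shell snippet is an added example, not part of the Debian advisory: it walks /proc/<pid>/maps and reports every process that still maps a libssl or libcrypto shared object the kernel has marked "(deleted)", which is exactly the set of processes still running the old, vulnerable code. The sample maps line in the comment is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): locate processes that still have the
# pre-upgrade OpenSSL shared libraries mapped and therefore need a restart.
#
# After dpkg replaces a shared library, running processes keep the old inode
# mapped; /proc/<pid>/maps shows such entries with a trailing "(deleted)", e.g.
# (constructed sample line):
#   7f0a0000-7f0b0000 r-xp 00000000 08:01 1234   /usr/lib/libssl.so.0.9.7 (deleted)

# Return 0 (true) when the maps text on stdin contains a stale libssl/libcrypto
# mapping, 1 otherwise.  Reading from stdin keeps the check testable offline.
stale_openssl_mapping() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' >/dev/null
}

# Print "<pid>\t<command line>" for every live process with a stale mapping.
# Processes we may not read (other users, kernel threads) are skipped silently.
list_processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if stale_openssl_mapping < "$maps" 2>/dev/null; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s\t%s\n' "$pid" "$cmd"
        fi
    done
}

# Count of processes still needing a restart; 0 means the upgrade is fully live.
count_processes_needing_restart() {
    list_processes_needing_restart | wc -l | tr -d ' '
}
```

Run `list_processes_needing_restart` as root right after `dpkg -i` or `apt-get upgrade`; an empty result means every MTA, SSH daemon and web server has already picked up the fixed library, and any PID listed is one to restart (and re-check) before considering the host patched.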